Category Archives: CyberSecurity Career Lifecycle

At the stage in their career where they are called a “security leader”, a security person will typically have a title like Chief Information Security Officer (CISO) or the equivalent at their organization. They will be the top person in Information Security. They may have a large staff underneath them performing the security functions, or they may be the security thought leader with the operational responsibilities spread throughout the IT organization.

Either way, the security leader is responsible for working with the other executives in the “C” Suite (CIO, COO, CEO, etc…) to set priorities and budget for the long term approach to information security. The job is often more about good relationships and finding common ground for business priorities than any of the technical aspects of security. Conversations are often about risk – both real and perceived – and how those risks could affect the business.

To be an effective security leader requires both vision (to set the goals) and persuasion (to lead the organization towards the goals). These come into play not only with the executives, but with staff as well. Sharing the vision and educating others on why security matters are an important part of an effective security leader’s job.

To reach this job level you must switch mindsets from a technical to a business focus. Some can make this transition, some can’t, and some want to stay in the technical world. This is more about knowing yourself and where your interests lie. Pushing a person with high interpersonal skills and a business approach into looking at a senior management position makes sense. But don’t push a person (or yourself) into management if it is not a good fit – if they (or you) purely love the technical aspects of security and want to stay there, then stay. Be happy at what you do, and proud of it.

If you’ve reached this pinnacle in the security world, you did not do it on your own. Others believed in you, mentored you, and supported you in thousands of ways both big and small. Just as others did for you, it’s time for you to mentor and support others in the security field. If you started doing this earlier in your career, kudos, and step up your efforts! Bringing up the next generations of security leaders means starting at their early and middle stages, showing them support and encouragement. It means finding those special people in the middle and architect layers and mentoring them to gain the skills and experience to move up. Get them involved, show them that they can make a difference, encourage them to continue to grow and learn. When you volunteer your time to help others grow in the security field, you will be rewarded a thousand times over.

“Entry Level: An individual who has yet to master general cybersecurity methodologies/principles. Individuals in this phase of the lifecycle may have job titles such as associate cybersecurity analyst, associate network security analyst, and cybersecurity risk analyst, for example.”

Congratulations, you finished school, got a couple certs under your belt, and made the leap into the ever-changing world of Cyber/Information Security. Welcome to the world of Jr.-this and Associate-that. Please, don’t get too hung up on job titles at this level. They really only mean something to management. The most important thing to do at this level is work and learn. I like that ISSA International defines this as “An individual who has yet to master general cybersecurity methodologies/principles.” This is spot on. At this level of the CSCL (You all remember what that stands for, right?), you need to be a Jack (or Jill)-of-all-trades.

This is also the point in the CSCL where you will have the most wiggle room in terms of movement within an organization. As you progress in your career, it will be increasingly difficult to move laterally within an organization. We will look into that in the coming months. This is also the perfect time to create a network of contacts within the industry at all levels and throughout the world. Chapter meetings and industry conferences are the best way to do this. Like I’ve shared before, I met the owner of the first company I worked for at a local ISSA Chapter meeting. We all work in the same industry, but we all have different jobs. Take advantage of this vast pool of knowledge.

Finally, because you are just starting out, don’t get too enamored with “Rockstar” jobs in the industry. I can give that advice, because I was guilty of it. You can get those jobs, but remember this is Day 1. There are dues to pay first.

Next month, we’ll bring you a real-life story of what the Entry Level looked like to one of our members.

Pre-Professional: any individual who has not yet (and never has) obtained a position working in the cybersecurity field. This may include anyone who has interest in working in this area with or without formal training and education in the field. Examples of individuals and/or situations who may be part of this phase are: individuals who are switching careers (former military, IT, retail, law enforcement, etc.) and students (high school or university).

Last month, I told you a little of my story in the Pre-Professional level of the Cybersecurity Career Lifecycle (CSCL). Take the time while at this level to be a sponge. Learn as much as you can, from as many sources as you can. Both ISSA International and your local Chapter have numerous learning opportunities; take advantage of them. A good one that ISSA International offers is the CSCL Pre-Professional Virtual Meet-Ups. I’m now going to brag about my Chapter.

We offer an annual CISSP review course. The CISSP is by no means a Pre-Professional certification. However, just taking the course can lead you down your path. I would like to call out our Chapter Leadership for finding great subject-matter experts to mentor the course. Understanding the real-world application of each domain is invaluable.

Another great place to learn is Chapter meetings. I remember a meeting we had that didn’t really interest me, based on the topic. Even after the meeting, the topic still wasn’t high on my list of things to learn about. However, the speaker that day did a tremendous job of walking us through the process she used to determine the best solution for her workplace. That was my great takeaway from the meeting. One day, along my CSCL, I might be tasked with determining the best solution to a pressing need. I’ll be glad that I will have had the experience of listening to the story of how she went about doing it.

To conclude, use this time to become a Jack (or Jill)-of-all-trades. As you will read in the coming months, the more you progress through the CSCL, the more specialized your work will become. Next month, we step up to the Entry Level. See you there!

“Pre-Professional: any individual who has not yet (and never has) obtained a position working in the cybersecurity field. This may include anyone who has interest in working in this area with or without formal training and education in the field. Examples of individuals and/or situations who may be part of this phase are: individuals who are switching careers (former military, IT, retail, law enforcement, etc.) and students (high school or university).”

I was there once. And this stage can be very difficult. I remember attending my first Defcon conference and just being blown away at how smart everyone was. I thought, maybe information security wasn’t for me. Then I was given some great advice by someone I met: “Stop comparing my behind-the-scenes to others’ highlight reels.” This changed everything. Realizing that no one was born with the knowledge, and that they all had to work and put in time, really put me on the right path.

I fit into both of the last categories from the Pre-Professional definition; I was looking to switch careers and I was a student. I was working as a bartender, but I decided to switch my major to Information Systems and begin studying for some of the entry-level certifications. By the time I finished my bachelor’s, I already had 2 CompTIA certs under my belt. This is when I found the Las Vegas ISSA Chapter. It was time to find out which part of the cybersecurity field I was best suited for. By attending meetings, I was exposed to different facets of the industry. I finally found one sector that really interested me. I was introduced to it by a speaker at one of the meetings. I eventually got my first job in the industry with his company. It was a great experience.

In conclusion, just remember that whoever you look up to in the industry paid their dues and earned their stripes just like you are trying to do right now. Don’t be discouraged, keep moving forward. One day, you’ll have a highlight reel of your own.

Welcome to our second installment of FirstMonday. ISSA International has done a great job of creating levels within the CyberSecurity Career Lifecycle (CSCL) that are very easy to understand. Below are the levels as explained by ISSA International:

Pre-Professional: any individual who has not yet (and never has) obtained a position working in the cybersecurity field. This may include anyone who has interest in working in this area with or without formal training and education in the field. Examples of individuals and/or situations who may be part of this phase are: individuals who are switching careers (former military, IT, retail, law enforcement, etc.) and students (high school or university).

Entry Level: An individual who has yet to master general cybersecurity methodologies/principles. Individuals in this phase of the lifecycle may have job titles such as associate cybersecurity analyst, associate network security analyst, and cybersecurity risk analyst, for example.

Mid-Career: An individual who has mastered general security methodologies/principles and has determined their area of focus or specialty. Individuals in this phase of the lifecycle may have job titles such as network security analyst, cybersecurity forensics analyst, application security engineer, or network security engineer. Individuals who are nearing the “senior level” may begin to hold job titles such as senior network security engineer or senior cybersecurity analyst, for example.

Senior Level: An individual who has extensive experience in cybersecurity and has been in the profession for 10+ years. These individuals have job titles such as senior cybersecurity risk analyst, principal application security engineer, director of cybersecurity, etc.

Security Leader: An individual who has extensive security experience and the ability to direct and integrate security into an organization. These individuals have job titles such as Chief Information Security Officer, Chief Cybersecurity Architect, etc. After extensive periods of leadership, some become recognized industry leaders.

Now, what does this mean to us in Las Vegas? First off, Pre-Professional and Entry Level often overlap. Many have gotten that first job while still in school. Another thing to consider is the fact that a person may have to move to many different companies throughout their CSCL. Once a person reaches a certain level, there are only so many C-suite jobs within any given company. In addition, Cybersecurity is not a static world. The people that work at each of these levels must continue to educate themselves. This is where local chapters really help. No matter what level you are at, you can always learn something.

Next month, we will dive into more of what a Pre-Professional looks like. As we go into each of the levels, there will be more real world examples of what that level actually looks like. Thank you.

This year we are going to dive into the CyberSecurity Career Lifecycle (CSCL). This initiative was put forth by ISSA International a couple of years ago. Let’s start with the goals of ISSA International and then we’ll dive into how this can help our local membership grow in their own careers throughout the year. First, the goals of the CSCL:

Reduced costs & issues associated with hiring for the wrong role vs. what is really needed by the business

Resources for companies that alleviate them from having to develop job descriptions and other materials

Understanding of the skills & knowledge necessary for success in cybersecurity jobs, as well as clear definitions of what responsibilities are necessary to meet expectations

The first goal is pretty standard. Let us create cybersecurity roles that are accepted internationally and consistent. A cybersecurity analyst in Chicago should be doing roughly the same job as an analyst in France. This helps us all speak the same language.

If we can do this, we tackle the second goal. By having standardized roles, we can reduce the time and effort it takes a company to hire the right people for the business needs. Standardized roles also help us tackle the third goal.

Imagine a company is looking for a Security Auditor: that company could essentially “copy/paste” the ISSA job description. Then that company could just tweak the job description to fit its own needs based on what compliance policies it must follow.

Personally, I feel the fourth goal is the most important, and I really appreciate the language they used. As a Pre-Professional (more on that in another post), I passed a number of certification tests. I had the knowledge, but not the skills to be successful in a cybersecurity job. As a chapter we need to help with both skills and knowledge. Here in the Las Vegas Chapter we are tackling the knowledge part by offering a CISSP Review Course. We have also been discussing a mentorship program that will give the participants the opportunity to learn the skills from a number of different people within the cybersecurity industry.

This is a quick overview of the goals of the CSCL. Next month, we will dive into some of the jobs that are available in the cybersecurity field. That will be fun, because there are a bunch that I bet many of us hadn’t thought of before.